Conquering the Barriers to Formal Specification Some recent developments in iuml-b and Event-B

Transcription

1 Conquering the Barriers to Formal Specification Some recent developments in iuml-b and Event-B Dr. Colin Snook

2 Co-authors and publications will appear here Outline of talk LOGO Of Partner or project appear here Motivation + History Overview of iuml-b Recent Industrial collaborations Airbus Thales AWE Sandia Future Directions

3 Background - University PhD Barriers to Formal Methods Empirical Assessment of Formal Methods Surveys of industrial users Formal experiments Difficulties of making (good) abstractions Prof. Rachel Harrison Diagrams help UML-B EU projects 00 - present Pussee Classical B for H/W design Rodin Event-B and the Rodin Platform Deploy Industrial deployment of Rodin INESS V&V of Railway model (UML) Advance Modelling Cyber Physical Systems Enable-S3 V&V of ACPS Prof. Michael Butler

4 with Rachel Harrison Practitioners' views on the use of formal methods: an industrial survey by structured interview, Information and Software Technology, 43, (4) Empirical assessments (before UML-B) Surveys of FM in industry Finding useful abstractions is difficult. J.Wordsworth, IBM Experiments on Understandability Formal specifications are no more difficult to understand than programs (Z v Java)

5 with Rozilawati Razali, Mike Poppleton & Paul Garratt, (008) Usability Assessment of a UML-based Formal Modelling Method Using Cognitive Dimensions Framework Human Technology: An Interdisciplinary Journal on Humans in ICT Environments Why does a diagram editor help? Premature Commitment Cognitive Dimensions of Notations (Thomas Green) Abstraction evaluate mitigate provide a common vocabulary for discussing many factors in notation, UI or programming language design Viscocity reduce Visual Modelling Tool

6 Motivation An approachable interface for newcomers to Event-B Provide diagrams to help visualise models make it easier to create models help explore abstractions Provide extra features to Event-B Lifting - instances Sequencing of events N.b. not trying to formalise UML

7 History of UML-B B-UML/UB (Matisse, Pussee) Based on Rational Rose UML tool (Stereotypes, textual annotations) Generated Classical B text Poor integration UML-B in Eclipse (first attempt) (Rodin) Eclipse based Rational Architect Profile using the UML Eclipse plug-in Generated Event-B for Rodin Mismatch between UML and Event-B Decided to deviate from UML

8 History of UML-B UML-B standalone (Rodin) EMF meta-model Generates a complete Rodin Event-B project Forced to do everything in diagrams iuml-b (Deploy, Advance) iuml-b as an extension to Event-B EMF meta-model of Event-B Extended for iuml-b iuml-b model is contained in a Machine (or Context) Generates Event-B into the parent Machine (or Context) Also supports hand written Event-B

9 with Rozilawati Razali & Mike Poppleton, (007) Comprehensibility of UML-based Formal Model A Series of Controlled Experiments At st ACM International Workshop on Empirical Assessment of Software Engineering Languages and Technologies (WEASELTech) 007. Empirical Assessments (assessing UML-B) Experiments on comprehensibility of UML-B UML-B helped students comprehend models ) v B ) v Event-B

10 Outline of talk Motivation + History Overview of iuml-b Recent Industrial collaborations Airbus Thales AWE Sandia Future Directions

11 Overview of iuml-b Class Diagrams

12 Overview of iuml-b Class Diagrams

13 Overview of iuml-b State-machines

14 Overview of iuml-b State-machines Translation also supports lifting statemachines to Class instances

15 Overview of iuml-b State-machines

16 State-machine animation

17 Outline of talk Motivation + History Overview of iuml-b Recent Industrial collaborations Airbus Enable-S3 Thales Enable-S3 AWE Sandia Future Directions

18 ENABLE-S3 ECSEL EU PROJECT Enable-S3 - Horizon 00 project Objective: establish cost-efficient cross-domain virtual and semi-virtual V&V platforms and methods for ACPS This project has received funding from the ECSEL Joint Undertaking under grant agreement No This Joint Undertaking receives support from the European Union s Horizon 00 research and innovation programme and Austria, Denmark, Germany, Finland, Czech Republic, Italy, Spain, Portugal, Poland, Ireland, Belgium, France, Netherlands, United Kingdom, Slovakia, Norway.

19 Outline of talk Motivation + History Overview of iuml-b Recent Industrial collaborations Airbus Enable-S3 Thales Enable-S3 AWE Sandia Future Directions

20 ith Thai Son Hoang and Michael Butler, ASA Formal Methods Symposium 07 ttps://link.springer.com/chapter/0.007/ _6 Analysing Security protocols in iuml-b With Airbus (Munich) Security protocols for LAN communication in aircraft Modelled in iuml-b An un-proven PO may be a security flaw Use ProB Model checker to analyse the problem

21 Example system: Virtual LANs VLAN trunk VLAN Security property: A packet must only be seen by nodes in the same VLAN as the device that made it

22 VLAN DVCE creates a packet p p

23 VLAN Tags it for VLAN p

24 VLAN Sends it to SWCH p

25 VLAN SWCH sends it to SWCH p

26 VLAN SWCH removes the tag p

27 VLAN Sends it via its VLAN port to DVCE3 p

28 Native VLAN p DVCE creates a packet p

29 Native VLAN Tags it for VLAN p

30 Native VLAN Sends it to SWCH p

31 Native VLAN SWCH removes the unnecessary tag p

32 Native VLAN Sends it to SWCH p

33 Native VLAN SWCH sends it via its Native VLAN port to DVCE4 p

34 Approach Build an abstract model of the security property iuml-b Class diagrams show entity relationships We express the Security property as an invariant over entities

35 Abstract model of security property At this level we rely on conceptual properties The VLAN this packet is Intended for The VLANs this node is allowed to see Guard: PV(p) nv[{n}] The security property: PV(p) nv[{owner(p)}]

36 Approach Build an abstract model of the security property iuml-b Class diagrams show entity relationships We express the Security property as an invariant over entities Refine* to introduce the design that achieves the security iuml-b State-machines show the behaviour of the design Validate by animation

37 Refined model of security design Conceptual property is replaced Guard: p dom(tag) dv(n)=nativevlan Guard: p dom(tag) dv(n) = TV(tag(p))

38 Second Refinement: Tagging Gluing invariants relate conceptual properties to concrete design i.e. Gluing invariants are Design assumptions

39 Proof One proof cannot be proven automatically.. The prover cannot prove that removenativetag establishes the design assumption: p dom(tag) TV(tag(p)) = PV(p) Is it a real problem? It could be that the prover lacked sufficient power. We use the model checker to find a counter-example

40 Counter-example p

41 Counter-example p

42 Counter-example p

43 Counter-example DESIGN ASSUMPTION VIOLATED Packet p from DVCE of VLAN is tagged for VLAN p dom(tag) TV (tag(p)) = PV (p) p IS IT A REAL SECURITY BREACH? The design assumption could be too strong

44 Counter-example p

45 Counter-example p

46 Counter-example SECURITY BREACHED DVCE3 of VLAN receives packet p from a device of VLAN PV(p) nv[{owner(p)}] p

47 Summary of Approach If the design assumption (gluing invariant) is not proven Can model checker find a trace that violates the design assumption? No: a manual proof may be possible Can model checker find a trace that violates the security? No: design assumption may be too strong Yes: there is a security flaw. The trace illustrates the flaw > Examine the PO Invariant: the property that is violated Event: the step of the process that breaks it Goal: the action that breaks it ) Attack ) Design flaw 3) Security Breach

48 Outline of talk Motivation + History Overview of iuml-b Recent Industrial collaborations Airbus Enable-S3 Thales Enable-S3 AWE Sandia Future Directions

49 with Michael Butler, Dana Dghaym, Tomas Fischer, Son Hoang, Klaus Reichl, Peter Tummeltshammer Formal modelling techniques for efficient development of railway control products, Submitted RSSRail 07 Railway Control Systems in iuml-b A Railway control system is a cyber-physical system Many devices/entities with relationships Entities have local behaviour Overall behaviour requires a system level process i.e. A process based on interactions between devices

50 with Michael Butler, Dana Dghaym, Tomas Fischer, Son Hoang, Klaus Reichl, Peter Tummeltshammer Formal modelling techniques for efficient development of railway control products, Submitted RSSRail 07 Railway Control Systems in iuml-b iuml-b Class diagrams show the entity-relationships iuml-b State-machines show the local (state-based) behaviour But the overall process is not clear in iuml-b Use Event Refinement Structure Diagrams to supplement iuml-b ERS diagrams were initially developed by Asieh Salehi and Michael Butler and extended by Dana Dghaym

51 with Michael Butler, Dana Dghaym, Tomas Fischer, Son Hoang, Klaus Reichl, Peter Tummeltshammer Formal modelling techniques for efficient development of railway control products, Submitted RSSRail 07 Paths ERS diagrams were initially developed by Asieh Salehi and Michael Butler and extended by Dana Dghaym

52 With Son Hoang, Dana Dghaym and Michael Butler Class-diagrams for Abstract Data Types ICTAC 07 Mathematical extensions in iuml-b New operators can be added to the Event-B notation using Theories (plug-in for Rodin) Operators correspond to entity associations, We would like to visualise these extensions using Class Diagrams Proposal (no tool support yet) The theory defines a new diagram node to represent the operator The node can be used on Class diagrams when the theory is in use

53 With Son Hoang, Dana Dghaym and Michael Butler Class-diagrams for Abstract Data Types ICTAC 07 Adding New Operators

54 Outline of talk Motivation + History Overview of iuml-b Recent Industrial collaborations Airbus Enable-S3 Thales Enable-S3 AWE Sandia Future Directions

55 With Michael Butler, John Colley, Andrew Edmunds, Neil Evans, Neil Grant and Helen Marshall, (03) Modelling and Refinement in CODA At Refine. CODA Hierarchical Components Connectors timed buffers Component Operations Port Wake Self Wake Synchronised state-machines VHDL generation Developed for AWE Ltd But now open source respond to a value arriving on a port respond at a future point in time Same infrastructure as iuml-b

56 With Michael Butler, John Colley, Andrew Edmunds, Neil Evans, Neil Grant and Helen Marshall, (03) Modelling and Refinement in CODA At Refine. CODA

57 With Michael Butler, John Colley, Andrew Edmunds, Neil Evans, Neil Grant and Helen Marshall, (03) Modelling and Refinement in CODA At Refine. CODA When a value arrives on a port, The clock cannot progress until a PortWake operation has handled it

58 With Michael Butler, John Colley, Andrew Edmunds, Neil Evans, Neil Grant and Helen Marshall, (03) Modelling and Refinement in CODA At Refine. CODA - decomposition Using Shared event decomposition (Re-) composition machine

59 With Sophia Meacham Component modelling CODA is designed as a hardware modelling tool Timed channels We would like something similar but more general for iuml-b Looking at adding SysML style diagrams to iuml-b Block diagrams, internal block diagrams Work in progress

60 Outline of talk Motivation + History Overview of iuml-b Recent Industrial collaborations Airbus Enable-S3 Thales Enable-S3 AWE Sandia Future Directions

61 with Karla Morris, (06), Reconciling SCXML Statechart Representations and Event-B Lower Level Semantics, HCCV Run completion + refinement Sandia want run-to-completion state-chart semantics E.g. Harel, UML, SCXML but with refinement Initial attempt Extended SCXML meta-model New attribute gives element refinement level Translate into iuml-b State-machine Many refinements from one SCXML statechart.. But we didn t capture the run to completion semantics

62 with Karla Morris, (06), Reconciling SCXML Statechart Representations and Event-B Lower Level Semantics, HCCV Run completion + refinement Second attempt Model the RC simulation engine SCXML_nextTrigger must not fire until all enabled user transitions have completed. Problem: If we strengthen the user guards, Weaken the completion guard

63 Outline of talk Motivation + History Overview of iuml-b Recent Industrial collaborations Airbus Enable-S3 Thales Enable-S3 AWE Sandia Future Directions

64 Future Directions Class Diagram to support new operators ( Theories ) Integration of ERS into iuml-b Component diagrams in iuml-b (like SysML) (de)composition as in CODA Other things driven by EnableS3 HUTN text persistence DSLs for configuring product-line to a specific customer

65 Thank you Questions?